
2 posts from December 2008

December 31, 2008

Will the real John Viega please stand up?

I thought this was very funny. Yesterday I came across this post from John Viega where he discusses the certificate trust model, ending the post with:

That leaves the Internet fundamentally broken.

Then, today, in a guest post on the Zero Day blog, he states:

People are declaring the entire Internet is broken, and that it will be hard to fix. This is simply not true.

December 30, 2008

HOWTO: Create a rogue CA certificate for $2000

An international group of researchers—speaking at the 25th Chaos Communication Congress (25C3)—published details on how they had managed to construct a rogue Certificate Authority (CA) certificate (!) using an MD5 chosen-prefix collision: a legitimately issued end-entity certificate and the rogue CA certificate were built to share the same MD5 digest, so the CA's signature on the former is also valid for the latter. They estimate the attack costs $20,000 to execute today, but that the cost can be reduced to as little as $2000. With a rogue CA certificate in hand they are able to issue certificates for, and thus impersonate, any SSL-enabled web site and conduct MITM attacks undetected (no browser warnings!).

The presentation is now available for download.

Update (30 Dec): And so is the paper, along with more information and a demonstration site (the CA certificate was purposefully constructed to expire in 2004, which essentially makes it harmless).

Update (31 Dec): Verisign fixes the problem.
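The practical check that follows from the attack is whether any certificate a CA issued in your chain carries an MD5 signature, since that is what makes the collision exploitable. The code below is an added example written for this page, not code from the post or from the researchers: it contains a minimal DER reader that pulls the outer signatureAlgorithm OID out of an X.509 certificate and audits a chain for md5WithRSAEncryption. The toy certificates it builds are constructed stand-ins (a placeholder tbsCertificate and a dummy signature value; only the outer structure is faithful), so it runs offline; feed real DER from `ssl.get_server_certificate()` or `openssl x509 -outform DER` in practice.

```python
"""Audit a certificate chain for MD5-based signatures (added example)."""

# PKCS #1 signature algorithm OIDs
OID_MD5_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
OID_SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
OID_SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

SIGNATURE_NAMES = {
    OID_MD5_RSA: "md5WithRSAEncryption",
    OID_SHA1_RSA: "sha1WithRSAEncryption",
    OID_SHA256_RSA: "sha256WithRSAEncryption",
}
# A CA that signs with a collision-prone digest can be tricked into
# "signing" a colliding rogue certificate, as in the 25C3 attack.
WEAK_SIGNATURE_OIDS = {OID_MD5_RSA}


def _der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """Wrap body in a DER tag-length-value."""
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (first arc must be 0-2)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Returns the OID inside signatureAlgorithm (the algorithm the issuer signed with)."""
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = der_read(cert_body)             # tbsCertificate, skipped
    tag, alg_body, _ = der_read(cert_body, pos)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = der_read(alg_body)          # algorithm OID
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    return decode_oid(oid_body)


def make_toy_cert(sig_oid, serial=1):
    """Constructed stand-in certificate (hypothetical): the tbsCertificate holds
    only a serial number and the signature value is zeros, but the outer
    layout matches a real certificate so the parser above reads it."""
    tbs = der_tlv(0x30, der_tlv(0x02, bytes([serial])))
    alg = der_tlv(0x30, encode_oid(sig_oid) + der_tlv(0x05, b""))  # NULL params
    sig = der_tlv(0x03, b"\x00" + bytes(16))  # BIT STRING, 0 unused bits
    return der_tlv(0x30, tbs + alg + sig)


def audit_chain(chain):
    """chain: DER certificates, leaf first, root last. The root is a trust anchor,
    so clients never verify its self-signature; only issued (non-root) certificates
    are flagged as weak."""
    last = len(chain) - 1
    findings = []
    for i, cert in enumerate(chain):
        oid = signature_algorithm_oid(cert)
        findings.append({
            "index": i,
            "algorithm": SIGNATURE_NAMES.get(oid, oid),
            "weak": oid in WEAK_SIGNATURE_OIDS and i != last,
        })
    return findings


def chain_is_safe(chain):
    return not any(f["weak"] for f in audit_chain(chain))


if __name__ == "__main__":
    demo = [make_toy_cert(OID_SHA1_RSA, 3), make_toy_cert(OID_MD5_RSA, 2),
            make_toy_cert(OID_SHA1_RSA, 1)]
    for f in audit_chain(demo):
        print(f)
```

The audit flags the MD5-signed intermediate in the demo chain even though the leaf is SHA-1 signed: the rogue certificate in the 25C3 attack was itself an MD5-signed CA certificate sitting between a legitimate root and the forged leaves, which is why a leaf-only check is not enough.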

ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server. [LinkedIn Profile]